🇮🇷 IR

CRESCENTHARVEST

Also known as: CrescentHarvest

CRESCENTHARVEST is the codename used by the Acronis Threat Research Unit (TRU) for a malware campaign that potentially targets supporters of Iran’s ongoing protests for information theft and long-term espionage. Acronis did not attribute the activity to a specific nation-state or APT group, but reported that the victimology, tradecraft, and scripting resembled Iranian-aligned activity previously described by Check Point Research. The underlying reporting also separately lists CRESCENTHARVEST among pre-existing cyber actors active before February 28 in campaigns involving phishing, exploitation of public servers, and information theft against Israeli, US, and regional networks, but offers no high-confidence attribution beyond that mention.

The campaign used protest-themed Farsi lures, including decoy images and videos and a Farsi-language report referencing the “rebellious cities of Iran.” Delivery was believed to occur via .RAR archives, or via files sent over time, containing malicious Windows .LNK shortcut files disguised as media. When executed, the .LNK files launched nested headless conhost.exe processes, then cmd.exe and PowerShell, which extracted an embedded ZIP payload to %TEMP%, established persistence via a scheduled task triggered by Windows NetworkProfile connectivity events, and displayed benign decoy media. Payload execution relied on DLL sideloading: a legitimate Google-signed software_reporter_tool.exe binary was used to load malicious DLLs. One DLL, urtcbased140d_d.dll, extracted and decrypted Chrome app-bound encryption keys and passed them locally over a named pipe. The other, version.dll, functioned as a RAT and information stealer. Reported capabilities included command execution; theft of browser credentials, cookies, and history from Firefox, Chrome, and Edge; Telegram Desktop session theft; keylogging; local user enumeration; antivirus profiling via WMI; and JSON-over-HTTPS command-and-control.

The malware also used dynamic API resolution and anti-analysis behavior involving Windows Job Objects. Observed C2 infrastructure included servicelog-information[.]com and 185.242.105.230, with Acronis noting intermittent Cloudflare proxying. Acronis reported the campaign was active no earlier than January 9, based on the date of the earliest decoy image. The reporting notes similarities to activity Check Point tracks as Educated Manticore, which overlaps with APT42, Charming Kitten, and Mint Sandstorm, but presents this as similarity rather than confirmed attribution.
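Two of the behaviors described above are checkable in endpoint telemetry: the nested headless conhost.exe → cmd.exe → PowerShell launch chain, and software_reporter_tool.exe loading version.dll or urtcbased140d_d.dll from a non-system directory. The following is an added detection example, not code from Acronis or Mallory; the event layout, paths, PIDs and the `--headless` command line are assumptions, while the file names come from the report.

```python
import ntpath

# DLL names given in the report; the Google-signed host binary is software_reporter_tool.exe.
SIDELOAD_DLLS = {"version.dll", "urtcbased140d_d.dll"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

def find_sideload(image_loads):
    """Return DLL paths loaded by software_reporter_tool.exe whose name is on the
    list but whose directory is not a Windows system directory (version.dll is a
    legitimate system DLL; a copy loaded from elsewhere is the sideload pattern)."""
    hits = []
    for ev in image_loads:
        if ntpath.basename(ev["image"]).lower() != "software_reporter_tool.exe":
            continue
        dll = ev["loaded"].lower()
        if ntpath.basename(dll) in SIDELOAD_DLLS and ntpath.dirname(dll) not in SYSTEM_DIRS:
            hits.append(ev["loaded"])
    return hits

def find_headless_chain(procs):
    """Return PIDs of powershell.exe whose ancestry within four hops contains both
    cmd.exe and a conhost.exe started with --headless, the launch chain described
    for the .LNK lures. Ancestry is resolved from a process-creation event list."""
    by_pid = {p["pid"]: p for p in procs}
    hits = []
    for p in procs:
        if ntpath.basename(p["image"]).lower() != "powershell.exe":
            continue
        seen_cmd = seen_headless = False
        cur, hops = by_pid.get(p["ppid"]), 0
        while cur and hops < 4:
            name = ntpath.basename(cur["image"]).lower()
            seen_cmd |= name == "cmd.exe"
            seen_headless |= name == "conhost.exe" and "--headless" in cur["cmdline"].lower()
            cur, hops = by_pid.get(cur["ppid"]), hops + 1
        if seen_cmd and seen_headless:
            hits.append(p["pid"])
    return hits

# Constructed sample telemetry (not from the report): one suspicious chain, one benign PowerShell.
PROCS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\conhost.exe", "cmdline": "conhost.exe --headless"},
    {"pid": 201, "ppid": 200, "image": r"C:\Windows\System32\conhost.exe", "cmdline": "conhost.exe --headless"},
    {"pid": 300, "ppid": 201, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c start"},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "cmdline": "powershell.exe -w hidden"},
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "cmdline": "powershell.exe"},
]
LOADS = [
    {"image": r"C:\Users\u\AppData\Local\Temp\x\software_reporter_tool.exe", "loaded": r"C:\Users\u\AppData\Local\Temp\x\version.dll"},
    {"image": r"C:\Users\u\AppData\Local\Temp\x\software_reporter_tool.exe", "loaded": r"C:\Windows\System32\kernel32.dll"},
    {"image": r"C:\Program Files\App\app.exe", "loaded": r"C:\Windows\System32\version.dll"},
]

if __name__ == "__main__":
    print(find_sideload(LOADS), find_headless_chain(PROCS))
```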


OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Where they target

Geographies tied to known operations.

  • 🇮🇱 Israel
  • 🇺🇸 United States

Where they're from

Attributed origin per open-source reporting.

  • IR

MITRE ATT&CK

Tradecraft

3 distinct techniques observed across reporting, grouped by tactic.

2 of 15 tactics, 3 techniques. ×N = number of intelligence reports citing this technique.

TA0001 Initial Access (2 techniques)

  • T1190 Exploit Public-Facing Application (×3)
  • T1566 Phishing (×3)

TA0009 Collection (1 technique)

  • T1213 Data from Information Repositories (×2)